Third-Party IE Patches Moving Fast As Spam Attack Starts

Tens of thousands of Internet Explorer users aren't waiting for Microsoft Corp. to provide a patch for the critical bug in their browser, and have instead installed unsanctioned fixes from security companies.

On Thursday, a spokesperson for eEye Digital Security said that its workaround had been downloaded by more than 94,000 users, while another security vendor warned that attackers were drawing people with a large-scale spam campaign to malicious Web sites which exploit the flaw.

The vulnerability is in IE's processing of the "createTextRange()" JavaScript method call, and is currently being exploited by hundreds of Web sites, including legitimate sites that have been compromised by hackers. Security organizations have tagged the zero-day bug with "extremely critical" labels, and Microsoft has promised it will patch the flaw no later than April 11, its next regularly-scheduled update.

As in the Windows Metafile (WMF) vulnerability and outbreak of December and January, others have stepped in where Microsoft has been unable to tread. Then, independent researcher Ilfak Guilfan created an unsanctioned patch for the problem. This time, two companies, eEye Digital Security of Aliso Viejo, Calif. and Redwood City, Calif.-based Determina, have proffered patches.

Determina was not able to provide a tally of the number of users who have downloaded its fix.If the createTextRange saga takes the same line as the WMF vulnerability, Microsoft may feel pressured to release a patch "out-of-cycle," or before the April 11 update.

But Marc Maiffret, co-founder of eEye, doesn't think that will happen. "They run a risk if they rush it out," said Maiffret. "That would be the worst case scenario, so I think they'll end up putting it out on the 11th."

On Wednesday, Mike Nash, the head of Microsoft's security efforts, didn't hint at any rush, although he left the door open to an out-of-cycle fix.

"The good news here is that we are on a path to include the fix for the zero day vulnerability as part of the April [11] IE cumulative security update and possibly sooner if our ongoing monitoring and analysis of attempts to exploit vulnerability shows customers are being impacted seriously," Nash wrote on the Microsoft Security Response Center blog.

There's less need for speed this time than in January, Maiffret said, noting that unlike with the WMF bug, there is a workaround for createTextRange: disabling IE's Active Scripting.But Dan Hubbard, senior director of security and research at Websense, said there was some urgency.

The exploit is now being distributed in a massive e-mail spam campaign, he said, using messages posing as links to BBC stories about the U.S. dollar's problems standing firm against the euro and yen. The San Diego-based company posted an advisory Thursday that includes a screenshot of one such e-mail.

"Click on a link and it takes you to the exploit code," said Hubbard. Websense's research, he said, has found that the group spamming the attack was also behind similar attacks that played off fears of the avian flu and the news of the death of Serbian strongman Slobodan Milosevic. Like those earlier attacks, the newest uses a vulnerability to secretly install a variety of malicious software on users' PCs. "It started with bots, then moved to spyware, and now is installing banking keyloggers," Hubbard said.

Although attacks using the createTextRange exploit aren't as widespread as when sites latched onto the WMF flaw late last year, Hubbard said that the worst may still be to come. Websense was watching for signs of an escalation that could dramatically boost the number of sites using the exploit.

"We're watching for a wider spread," said Hubbard, who added that Websense is in frequent contact with Microsoft. "But sometimes waiting for something is dangerous."0